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IN THE CLAIMS: 

Please find below a listing of all pending claims. The statuses of the claims 
are set forth in parentheses. For those currently amended claims, underlined 
emphasis indicates insertions and str i kcthrough emphasis (and/or double brackets) 
indicates deletions. 

1. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on sett i ng informat i on — inc l ud i ng un i t t i me for 
measuremen t parameters ; 

judging whether the communicat i on is c ommunication has been being 
executed by the worm based on the information acquired and a predetermined 
judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon i t be i ng judged at the judg i ng that the commun i cation is judged to have been 
executed by the worm at the judging : 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting; and 

measurement parameters when the communication is judged to have been executed 
by the worm at the judging, 

wherein the acquiring includes acquiring , based on the measurement 
parameters changed at the changing, the information based on the setting 
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in forma tio n changed at the changing on the communication judged to have been 
executed by the worm at the judging . 

2. (Canceled) 

3. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 

communication packet based on- setting- -inferfnation- - i n cl u di ng - - t ml t - ti m e fo r 

measuremen t parameters : 

judging whether the communication-i s has been e xecuted by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon i t be i ng judged at the judg i ng that the commun i cat i on i sj udged to have been 
executed by the worm at the judging ; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting; and 

the communication is judged to have been e xecuted by the worm at the judging, 
wherein 

the judging includes further judging whether th e commun i cation — is 
communication judged to have been executed by the worm at the judging has been 
executed by the worm based on the information acquired and the judgment criteria 
changed at the changing. 
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4. (Previously Presented) The computer-readable recording medium according 
to claim 1, wherein the judging includes judging that a communication from a 
computer that is in the predetermined network segment is executed by the worm 
when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

5. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information inc l uding unit time for 
measuremen t parameters ; 



first judging whether a computer in the predetermined network segment is 
infected by the worm based on the information acquired and a predetermined 
judgment criteria; 

second judging whether a plurality of computers in the predetermined 
network segment are infected by the worm; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the first judging that the computer is infected by the worm; 
and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, wherein 



4 



PATENT 



Docket No.: 1924.70199 
App. Ser. No.: 10/812,622 



the second judging includes judging that a plurality of computers in the 
predetermined network segment are infected by the worm when all three conditions 
are satisfied, the three conditions being that 

a communication from the computer in the predetermined network segment 
is judged to be infected by the worm at the first judging, 

there is an i ncrease i n a number of communication packets that are 
transmitted from the predetermined network segment to the outside becomes 
greater than a number of the communication packets transmitted from the 
predetermined network segment to the outside when the computer is judged to be 
infected by the worm at the first judging, and 

a number of destination addresses of the communication packets that are 
transmitted from the predetermined network segment to the outside becomes 
greater than a number of destination addresses of the communication packets 
transmitted from the predetermined network segment to the outside when the 
computer is judged to be infected by the worm at the first judging. 

6-7. (Canceled) 

8. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on sotting i nformation i nc l uding un i t time for 
measurement parameters ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 



5 



PATENT 



Docket No.: 1924.70199 
App. Ser. No.: 10/812,622 



extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the 
worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting 

wherein the judging includes predicting identifying a type of the worm by 
comparing features of a first communication judged to be executed by a worm with 
features of a second communication executed by a worm thatHs are recorded in 
advoncc advance, when the first communication is j ud ged to be executed by a worm . 

9-12. (Canceled) 

13. (Currently Amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on sett i ng informat i o n includi n g unit time f o r 
measurement parameters ; 

judging whether the communication-i s has been executed by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon i t be i ng judged at the judg i ng that the communication is judged to have been 
executed by the worm at the judging ; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting; and 
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changing the sett i ng i nformation upon i t being judged at the judging that 
measurement parameters when the communication is judged to have been executed 
by the worm at the judging , 

wherein the acquiring includes — acqu i r i ng acquiring, based on the 
measurement parameters changed at the changing, the information based on the 
sett i ng informat i on changed ot the chang i ng on the communication judged to have 
been executed bv the worm at the judging . 

14. (Canceled) 

15. (Currently Amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on sett i ng i nformat i on 
i nc l uding un i t time for measurement parameters: 

a judging unit that judges whether the communication-is has been executed 
by the worm based on the information acquired and a predetermined judgment 
criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon i t be i ng judged -by-the judging unit 
that the commun i cat i on i s judged to have been executed by the worm bv the 
judging unit; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes th e sett i ng i nformat i on - upon - t t - be i ng 
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judged by the judging un i t that measurement parameters when the communication 



the acquiring unit acqu i r es acquires, based on the measurement parameters 
changed by the setting changing unit, t he information based on the sett i ng 
i nformat i on changed by the sotting chang i ng un i t on the communication judged to 
have been e xecuted by the worm by the judg ing unit. 

16. (Currently Amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting informat i on 




a judging unit that judges whether the communication-is has been executed 
by the worm based on the information acquired and a predetermined judgment 
criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it b e ing judg e d by the judging un i t 
that the co mmunication i s judged to have been executed by the worm by the 
judging unit: 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes the judgment criteria upon i t be i ng 
judged by th e judging un i t that when the communication is judged to have been 
executed by the worm by the judging unit , wherein 

the judging unit further judges whether the communication-is judged to have 



is. 




.executed by the worm by the judging unit , wherein 





measurement parameters ; 
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been executed by the worm by the judging unit has been executed by the worm 
based on the information acquired by the acquiring unit and the judgment criteria 
ch3nQsd citi the choncjincj by the scttincj ch9nc)incj unit * 

17. (Previously Presented) The device according to claim 15, wherein the judging 
unit judges that a communication from a computer that is in the predetermined 
network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

18. (Currently Amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on s ett i ng informot i on 
i nc l ud i ng unit time for measuremen t parameters ; 

a judging unit that judges at a first time whether a computer in the 
predetermined network segment is infected by the worm based on the information 
acquired and a predetermined judgment criteria, and judges at a second time 
whether a plurality of computers in the predetermined network segment are infected 
by the worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged at the first time by 
the judging unit that the computer is infected by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
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information extracting unit, 

wherein the judging unit judges at the second time that a plurality of 
computers in the predetermined network segment are infected by the worm when all 
three conditi ons are satisfied, the three conditions being that 

a communication from the computer in the predetermined network segment 
is judged at the first time to be infected by the worm, 



transmitted from the predetermined network segment to the outside becomes 
greater than a number of the communication packets tr ansmitted from the 
predetermined network segment to the outside when the computer is iudaed at the 
first time to be infected by the worm , and 

a number of destination addresses of the communication packets that are 
transmitted from the predetermined network segment to the outside becomes 
greater than a number of destination addresses of the communication packets 
transmitted from the predetermined network segment to the outside when the 
computer is judged at the first time to be infected by the worm. 

19-21. (Canceled) 

22. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on- s e tt i ng i nformat i on i nc l ud i ng unit time for 
measuremen t parameters : 

judging whether the communication-i s has been executed by the worm based 
on the information acquired and a predetermined judgment criteria; 




.number of communication packets that are 
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extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it being ludqod at the judging that the commun i cat i on i s judged to have been 
executed by the worm at the judging : and 

blocking the communication packet that is transmitted between the 
predetermined network segment and tine outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the communication 
packets for each port number, the communication packets being transmitted in the 
comm un ication-H opon i t be i ng - judge d triat _when_the communication is judged to have 
been executed by the worm at the judging, and extracting as the reference 
information, a most frequently appeared port number of the communication packets 
transmitted in the communication upon it being judged that th e commun i cat i on is 




23. (Currently Amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on s ett i ng informat i on inc l ud i ng un i t t i me for 
measurement parameters : 

judging whether the communication-i s has been executed by the worm based 
on the information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it be i ng judged at the judg i ng that the communicat i on i s judged to have been 
executed by the worm at the judging; and 





.executed by the worm at the judging. 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the communication 
packets for each port number, the communication packets being transmitted in the 
communication upon it be i ng judg ed tha t when the communication is jud ged to have 
been executed by the worm at the judging, and extracting as the reference 
information, a most frequently appeared port number of the communication packets 
transmitted in the communication-t 

en executed by the worm at the judging. 



24. (Currently Amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on sett i ng i nformation 
inc l ud i ng un i t time for measuremen t parameters ; 

a judging unit that judges whether the communication-is has been executed 
by the worm based on the information acquired and a predetermined judgment 
criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it be i ng judged by the judg i ng un i t 
that the commun i cation i s judged to have been executed by the worm by the 
judging unit ; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit. 
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wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that when the 
communication is judged to have been e xecuted by the worm by the judging unit, 
and extracts, as the reference information, a most frequently appeared port number 
of the communication packets transmitted in the communication upon it be i ng 
judged that the commun i cation is judged to have been executed by the worm by the 
judging unit. 

25. (Currently Amended) A computer-readable recording medium for storing a 
computer program for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging 
whether the communication is executed by a worm, the computer program causing a 
computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting informat i on inc l ud i ng unit t i me for 
measurement parameters ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the 
worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network 
segment or transmitted to the predetermined network segment, a number of the 
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communication packets transmitted in the communication upon it being judged that 
the communication is executed by the worm at the judging, and extracting, as the 
reference information, a direction of the communication wherein the number of the 
communication packets is over a threshold value. 

26. (Canceled) 

27. (Currently Amended) A method for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information inc l uding unit time f or 
measuremen t parameters ; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to be 
blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the 
worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network 
segment based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each direction of 
communication of a packet transmitted out from the predetermined network 
segment or transmitted to the predetermined network segment, a number of the 
communication packets transmitted in the communication upon it being judged that 
the communication is executed by the worm at the judging, and extracting, as the 
reference information, a direction of the communication wherein the number of the 
communication packets is over a threshold value. 
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28. (Currently Amended) A device for detecting a worm by monitoring a 
communication of a predetermined network segment that is connected to a network 
and judging whether the communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setti ng information 
i nc l ud i ng un i t time for measurement parameters ; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit 
that the communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined 
network segment or transmitted to the predetermined network segment, a number 
of the communication packets transmitted in the communication upon it being 
judged that the communication is executed bv the worm by the judging unit, and 
extracts, as the reference information, a direction of the communication wherein the 
number of the communication packets is over a threshold value. 

29-33. (Canceled) 
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34. (Currently Amended) A device for cutting off a communication executed by a 
worm by monitoring the communication between a predetermined network segment 
and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a communication-is has been 
executed by the worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communicatio n upon i t being judged by the worm judging 



a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication— upon — i t being iudacd thot when the 
communication is judged to have been executed by the worm by the worm j udging 
unit, and extracts, as the reference information, a most frequently appearing port 
number of the communication packets transmitted in the communication upon i t 
being judged by the worm judging un i t that the commun i c ati on i s judged to have 
beenexecuted by the worm by the worm judging unit. 

35. (Previously Presented) A device for cutting off a communication executed by 
a worm by monitoring the communication between a predetermined network 
segment and outside of the predetermined network segment, comprising: 

a worm judging unit that judges whether a communication is executed by the 

worm; 

a reference information extracting unit that extracts reference information for 
identifying a communication packet to be blocked from a plurality of communication 




judged to have been executed by the worm; and 
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packets transmitted in the communication upon it being judged by the worm judging 
unit that the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit further sums up, for each 
direction of communication of a packet transmitted out from the predetermined 
network segment or transmitted to the predetermined network segment, a number 
of the communication packets transmitted in the communication upon it being 
judged by the worm judging unit that the communication is executed by the worm, 
and extracts, as the reference information, a direction of the communication wherein 
the number of the communication packets is over a threshold value. 

36-40. (Canceled) 

41. (Previously Presented) The computer-readable recording medium according 
to claim 3, wherein the judging includes judging that a communication from a 
computer that is in the predetermined network segment is executed by the worm 
when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

42. (Canceled) 

43. (Previously Presented) The computer-readable recording medium according 
to claim 8, wherein the judging includes judging that a communication from a 
computer that is in the predetermined network segment is executed by the worm 
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when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
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